United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: January 31, 2013

AUDIT NUMBER: 88501-0001-12

SUBJECT: Review of Selected Controls of the eAuthentication System

The Office of Inspector General (OIG) review of the Department of Agriculture’s (USDA) eAuthentication (eAuth) system evaluated the Office of the Chief Information Officer’s (OCIO) controls over the system’s security. The eAuth system was created in 2003 to provide users with a single user name and password that allows them to access over 400 USDA web-based applications. The eAuth system generally operated effectively, efficiently, and in accordance with guidance. However, we found that improvements to the eAuth system’s internal controls could make critical USDA program and financial information less vulnerable to compromise. While Federal agencies are required to use the National Institute of Standards and Technology's (NIST) recommended controls to reduce risks to Federal systems, we found that OCIO did not implement some of the required NIST controls. This occurred because, although OCIO managers and staff were aware of the requirements, they did not perform a systematic review of the NIST requirements when designing, building, and maintaining the eAuth system. Without incorporating applicable NIST controls, the eAuth system could be at greater risk of incidents such as security breaches or service outages that negatively impact access to over 400 USDA systems. The agency agreed with all recommendations.

This report is not being publicly released due to the sensitive security information it contains.